FreeKB - Firewalld Getting Started with the firewall-config command
Getting Started with the firewall-config command

Use apt-get or yum to install firewalld.

apt-get install firewalld
yum install firewalld


The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to start and enable firewalld.

systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld


If your system is using init, use the chkconfig and service commands to start and enable firewalld.

chkconfig firewalld on
service firewalld start
service firewalld status


The firewall-config command will open the graphical firewalld configuration utility. You must be using a graphical version of Linux to be able to produce the graphical firewall-config utility. If you are using a text-only environment, use firewall-cmd.

firewall-config &



Runtime / Permanent

Near the upper left hand corner of the graphical firewall utility is the Configuration drop-down selector. When set to Runtime, changes made will take effect immediately, but will not be permanent. When set to Permanent, the change will not take effect until the firewall is reloaded, and will be permanent.


Reload the firewall

Select Option > Reload firewalld to reload the firewall.



Firewalld uses zones, such as public, internal, and dmz. Each zone has its own unique set of rules. For example, public zone can be bound to eth0 and only allow HTTP, and internal zone can be bound to eth1 and allow both HTTP and SSH.


Selecting a zone in the left panel of the graphical firewalld utility will display the unique settings for the zone. The default zone can be changed by selecting Options > Change Default Zone. Select the new default zone, and select OK.



Each zone can be bound to one or more interfaces. In this example, public zone is bound to one interface, wlan0.



Services can be allowed by simply checking the services that should be allowed. Remember to select Runtime for the change to take effect immediately or Permanent and then Option > Reload Firewall for the change to be permanent.


Each service has a predefined port and protocol being used by the service. Select the Services tab, and then select a service to list the port and protocol the service allows.



A port can be allowed by selecting the Ports tab and adding the port.


Lock down

By default, the firewall will not be locked down. To lock down the firewall, select Options > Lockdown. Locking down the firewall prevents modification from being made to the firewall.


Panic mode

Panic mode will drop all incoming and outgoing packets, and active connections will be terminated after a period of time. To enable panic mode, select Options > Panic mode, and then reload the firewall.

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter c1e07 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |